Managing Your SMB-IT Without Server


You have a small business.  You have been running Windows Small Business Server 2003 for six years, and you know that it is time to retire it.  The question is, what should replace it?

Before you make any definitive decisions, why not review what you need your server to do:

  • File Server
  • Mail Server
  • Internet Portal
  • Centralized Management

For the past several years you have paid a consultant to manage the server and your client PCs, and have primarily called him in for break-fix issues.  Maybe you were industrious and decided to learn the basics of IT so you could do a lot of the maintenance yourself.  You might even be a small-business IT consultant who has been managing and maintaining SBS environments for your clients.

You have heard so much about the cloud that you are in a bit of a fog… you know that people are talking about cloud-services, but haven’t quite figured out how they can work for you… to save you money, to earn you money.

Replacing the Server

For most small businesses I still recommend a centralized server; Active Directory is still the best mechanism you will find for centralized user management, and Group Policy allows you to lock down your environment.

With that being said, many of the functionalities offered in Microsoft Small Business Server are now available as part of two cloud-services offerings from Microsoft.  Microsoft Office 365 offers all of the functionality listed above (File Server, Mail Server, Internet Portal) and much more.  It is actually all of the following products in the cloud:

Office 365 allows you to have the functionality of all of these tools… without having to purchase or maintain them.  It also means that you will always have the latest versions of all of these… without having to upgrade.  ‘Your servers’ will be maintained by the Microsoft IT team, without your having to pay them hundreds of dollars per hour.  If any of your services go down (and admittedly they do occasionally) you can rest assured that before you even discover the outage the people who know the products best will already be well on their way to fixing the issues.

Managing the Desktop

Between the operating system and the applications, there is a lot of work that goes into the proper maintenance of your PCs.  That includes anti-malware, patch management, policies, and more.  Additionally, being able to generate and view reports is a huge benefit – as I always say, if you cannot measure it, you cannot manage it!

So before we get into the application side of things, let’s discuss the benefits of the second cloud-services offering, Windows InTune.  InTune installs as a simple agent on your Windows PC, and the list of benefits is amazing:

  • Upgrade rights to Windows 7 Enterprise
  • Windows InTune Endpoint Protection (centralized anti-malware solution)
  • Centralized Patch Management
  • Policy Deployment
  • Application Deployment
  • Device Reporting
  • Alerts
  • License Management

When you subscribe to Windows InTune (per-PC subscription) you get the right to upgrade your legacy Windows client (Professional/Business/Enterprise SKUs) to Windows 7 Enterprise.  Right there you have the basis for the common operating system required to simplify management.

Windows 7 Enterprise Edition includes two features that Business Edition does not:

  1. Multiple language support; and
  2. BitLocker drive encryption technology

With the preponderance of mobile computing these days, as well as organizations doing business around the world, there is no question that Windows 7 Enterprise is an easier feature-by-feature sell than the lower-priced options, but that lower price seems to be a deciding factor so often.  With the Use Rights in Windows InTune you don’t have to settle.

Once the Windows InTune agent is deployed on a PC it will start populating the individual computer’s information to the InTune system, and you will be able to get a better idea of what you have.  On the Devices screen you will be able to see:

  • Computer Name
  • Chassis Type
  • Manufacturer & Model
  • Operating System
  • Total Disk Space
  • Used Disk Space
  • Free Disk Space
  • Physical Memory
  • CPU Speed
  • Last User to Log On
  • Serial Number
  • Last Hardware Status

Included in the Windows InTune installation is the Windows Intune Endpoint Protection engine, which will protect your PCs from malware.  It uses the built-in patch management system to keep the definitions up to date, and offers real-time protection, as well as centralized reporting and e-mail alerts to the Help Desk / Support Team / IT Guy when a computer is infected.

InTune 2.0 added the ability to centrally deploy applications to client PCs.  InTune 3.0 adds an extra to this – the ability for end-users to install published applications on-demand.  The new Company Portal allows users to help themselves on-line, before eventually ‘escalating the call’ to you.

Users can also deploy their own client from the portal, assuming they have the proper credentials.  This allows them to download a client using their corporate credentials, rather than you having to send them the file (along with the ACCOUNTCERT file) which would allow anyone (in theory) to install on any device that would automatically be managed by… you.

By far the most common application suite found on desktops in the workplace is Microsoft Office.  The most common complaint I hear about Office is the cost (followed by the difficult to understand SKUs).  Of course, with Office in the name it is no wonder that it is part of Office 365.

Of course there are several different SKUs to Office 365, and each one has different offerings.  The small business SKU (P1) costs $6/month, and does not include the installable suite.  However it does include Office Web Apps, which means you can create and edit Word documents, Excel spreadsheets, PowerPoint presentations, and of course use OneNote… all within your web browser.  This is great if you work on multiple systems, or if you are ever remote and need to work on a document.  The convenience loses its thrill when you realize you cannot work if you don’t have an Internet connection.

The E1, E2, and E3 SKUs do come with the client software, so if that is a requirement then those SKUs (which cost quite a bit more) are probably better for you.

Why you should consider maintaining a server on-site

Our mail server is gone… so are our SharePoint and File Servers.  Why then would I still recommend a small server in a small business environment? There are several reasons.

  1. Active Directory.  As I mentioned earlier in the article, AD is a great way to centralize security and credentials.  Additionally there are plenty of hooks from Active Directory into Office 365 (which can be covered in a later article).
  2. Deployment Server.  Microsoft Deployment Toolkit 2012 is the perfect companion to your new Windows 7 Enterprise licenses.  In under an hour you can create a deployment point that will deploy Windows and all of your applications (including the Lync Client and the Windows InTune agent) in fifteen minutes (or less).  It is by far the easiest way to deploy Windows to your desktops, laptops, and even tablets!
  3. Hyper-V.  Although many of our applications will be installed directly onto the laptop, many companies still have server-based applications that require an application server.  Hyper-V is the best way to create those servers on-site, for a plethora of reasons that have been outlined ad nauseam previously at www.garvis.ca, and countless other sites.  Of course, your virtualized application servers can run any version of the Windows Server operating system, but they can also run any supported client OS, as well as several iterations of Linux (supported and enlightened) and any other x86-based OS (neither supported nor enlightened).
  4. Group Policy.  Although Windows InTune v3 has much better policy support than its predecessors, there is no denying that Group Policy is the best way to granularly control, configure, and secure your client and server environments.  Whether you want to enforce secure passwords, BitLocker, or simply set a centralized screen saver and desktop wallpaper, the best way to do it is by creating a GPO in Active Directory.

As you see, the combination of cloud-based services from Microsoft and an on-site Windows Server is the best way to manage your entire SMB IT infrastructure, but even if you are not going to maintain an on-premises server, the cloud-based services can manage most of the needs of most SMBs.

By the way, there is one more advantage to these solutions… you will always have the latest and greatest.  Right now the Windows InTune subscription comes with use rights for Windows 7 Enterprise.  When Windows 8 is released, you will automatically have access to that platform.  Office 365 comes with Office 2010… but when the next version is released you will have that version right away too!

Interested in hearing more?  Drop me a line and we’ll talk… or you can check out www.windowsintune.com and www.office365.com to download 30-day trials of each!

A Dichotomy of IT Conferences

As I fly south from Toronto I am heading to two separate and very different conferences.  I am new to neither one, and am looking forward to both.  As they are very different conferences, I am looking forward to them both in very different ways.

SBS Migration – A Party with a Conference Theme

The first conference has several different names – the SBS Migration Conference, The IT Conference, or Jeff Middleton’s Conference.  This is a conference organized by Jeff to be by the community and for the community.  Indeed, all of the speakers are MVPs and none of us are being paid for the pleasure, we do it to give back to a group of our peers.

It has been several years since I have touched Windows Small Business Server, but I made a lot of friends while I was involved with that group, and when I can I always accept speaking at both Jeff’s and Harry Brelsford’s conferences.  It gives me the opportunity to see a lot of old friends, make some new ones, and again give back what I can.  If you ask some of the more passionate SBS crowd, they may imply that I am actually there to convert people to Enterprise IT products and practices, and while that may not be entirely true, I do admit that if I convince just one of them that you need more than one domain controller in your environment, and that wizards are not the panacea some think they are, then I am not displeased.

If you have never been to New Orleans then you are missing out on a unique experience.  It is an incredible city that has to be experienced firsthand to understand and appreciate.  I have been there twice, and I admit I am looking forward to it because on my previous (multiple but adjacent) visits I was not able to experience two aspects of the city, owing to the fact that I was there the two weeks before my Black Belt test in 2010; I was neither eating nor drinking, and in a city known for its cuisine and its alcohol in the streets party every night, that was just a shame.

It is now two years later and while I will be watching what I eat and drink, I will not be denying myself good meals and the occasional drink.  I am also bringing my wife, which means we can enjoy what the city has to offer together, and I will not feel guilty (as I so often do) that I am experiencing things without her.

Oh yeah… the conference.  I will be participating in a number of panels, and will be presenting an abridged version of my VDI presentation that discusses Hyper-V, Windows 7, Citrix XenDesktop, and the whole BYOD (Bring Your Own Device) story for businesses.  I forgot that I have to dance for my dinner, and that is my price of admission 🙂

The conference has a unique twist to it… after three days of learning Jeff feels there is no better way to unwind than for the entire group to get onto a cruise ship and sail to the Bahamas.  While I applaud his sentiment, I bemoan his timing.  After three days ‘with the gang’ Theresa will be flying home, and I will be heading to Orlando for my next conference…

Microsoft TechEd North America 2012

TechEd is considered by many the premier IT Pro conference every year.  This year will be special for several reasons, not the least of which is that it is the twentieth anniversary of the landmark event, and I am sure that there will be no shortage of festivities commemorating that.

The second (and for me more important) reason why TechEd is going to be special this year is all of the product launches (on the IT Pro side) in 2012.  While end-users will likely focus on the new Windows 8 client that is set to launch sometime this year, IT professionals like myself are probably more excited about the new Windows Server 2012 (set to launch around the same time) and System Center 2012 (which was released in April).  In other words the vast majority of tools that I use and support are new and improved, and it is important to get out there and learn about the new features from the experts.

I will not be speaking at TechEd this year, and for the first time in the five years that I have been going I will not be working either.  Unlike years past I am showing up at the show with a fully paid ticket, and my only obligations are to learn.  That is very exciting for me – no booth duty schedules to coordinate!

That is not entirely true… I actually have three commitments at TechEd.  The first, I have been selected to compete in an event called Speaker Idol.  Modeled after American Idol, contestants compete as public speakers – more accurately, they compete as IT presenters.  There are three criteria to be considered a potential candidate: you must be attending TechEd (nobody is paying your travel or show pass), you must never have spoken at any TechEd event, and you cannot be a Microsoft employee.  The competition is always run by Richard Campbell and his partner in crime.  I do not know who the judges are, but I do know that Sean Kearney is going to be my biggest fan, and that he has already created several promotional videos that are up on YouTube.  The first prize, I understand, is an invitation to speak at TechEd next year, which would be cool.

My second ‘obligation’ at TechEd is the Windows Community Party – or Springboard Party as we usually call it.  For the last three years this has been the most sought after ticket of the week, and for the second year in a row I have been asked to man the door.  I guess Stephen Rose knows that not a lot of people are going to mess with me – either physically or verbally – and get away with it.  Attendance numbers are strictly controlled for several reasons, including cost and venue capacity.  It is always a blast, and I am counting down until Wednesday evening when we get to ‘get jiggy with the Windows fans’.

My last obligation is of my own making.  I do a lot of work with Microsoft Canada, and when I found out that none of the IT Evangelists would be attending the show this year, I asked ‘then who’s going to organize the Canadians Get Together that we all loved last year?’  Damir and Ruth asked if I would be willing to do it, and I agreed.  There is now an open invitation to all Canadians for Tuesday evening (late afternoon really) to join us for drinks and appetizers.  The time has been set, but the venue has not.  It will be one of the hotel bars to be sure, but which one will be determined on Sunday.  This has less to do with mystique and allure than the fact that I haven’t been to Orlando in five years and don’t remember which hotel bars are convenient.

All in all it will be a fun ten days.  I am sure I will be blogging about both events extensively so stay tuned… while I am not doing away with the Taekwondo talk, I am now back on track and focusing on IT and the IT Community!

Virtualizing your Domain Controllers

I am asked all the time what the best practices are for domain controllers in a virtualized environment.  There are several that I will call out, but let’s begin with the simplest rule.

You should never have ONE domain controller.

This rule is not only true in virtualized environments, it is always true.  If you are too small to have a domain that is fine, but if you have a domain you should have two DCs.  If you run Windows Small Business Server that rule is just as true – join a second server to the domain and promote it.  YES IT DOES WORK, please don’t argue it again!

You can absolutely virtualize your domain controllers.

I hear this question from people all of the time… and the reality is that there is nothing wrong with virtualizing your DCs.  If the main concern is the time synchronization issue, then there is a simple answer for that.  Your Active Directory domain resources will not be able to authenticate if the time is off by more than 300 seconds (5 minutes).  However, that skew is measured against the domain, not against your wrist watch.  If your radio says it is 3:15pm and your domain says that it is 10:38am, the only thing that matters is that your network resources think that it is between 10:34 and 10:42.

In simple terms, if one time resource is off it is bad… if ALL of your time resources are off, it’s not.  This theory may fall down with external resources – I have noticed that Twitter (or at least many Twitter clients) are sticklers for time, and if you are off then you will not be able to authenticate.  Lync can also be an issue, and I am sure there are dozens of other externally provided services that will cause issues.  However internally as long as your client and your server have the same wrong time, you’ll be fine.

So with that being said, my tendency is to select one domain controller and configure it to synchronize with an external time server.  I will then create a GPO in my domains to use that server as the authoritative time source for the entire network.  That prevents all manner of things from going wrong if you find the time is off.
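The "one DC synchronizes externally, everyone else follows it" setup above, as an added example that is not from the original post.  It assumes the ActiveDirectory PowerShell module (RSAT) is available and that you run it as a Domain Admin; the DC chosen is the one holding the PDC emulator role, since that is the domain's default authoritative time source, and the pool.ntp.org names are placeholders for whatever external servers you trust.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# is installed and the session runs as a Domain Admin.
Import-Module ActiveDirectory

# The PDC emulator sits at the top of the domain time hierarchy, so it is the
# one DC that should point at an external source.
$pdc = (Get-ADDomain).PDCEmulator

# Point the PDC emulator at external NTP servers (placeholders; use servers you
# trust), mark it as a reliable source, and force an immediate sync.
w32tm /config /computer:$pdc /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
w32tm /resync /computer:$pdc

# Every other DC and domain member keeps the default NT5DS (domain hierarchy)
# mode. From any member, confirm it follows the hierarchy rather than a manual
# peer left behind by someone's earlier fix.
w32tm /query /source
w32tm /query /status

# Measure the offset between this machine and the PDC emulator; it must stay
# well inside the 300-second Kerberos tolerance the post describes.
w32tm /stripchart /computer:$pdc /samples:5 /dataonly
```

Members that still show a manual peer in `w32tm /query /source` are the ones a GPO (or `w32tm /config /syncfromflags:domhier /update`) needs to bring back into the hierarchy.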

Your Domain Controllers should be just that… and not much else!

Your DC should not be a file server, database server, media server, deployment server, update server… there are only three services that my domain controllers generally perform: Active Directory Domain Services, Domain Name System (DNS) server, and Dynamic Host Configuration Protocol (DHCP) server.  In my networks these three services go together nearly all of the time.  I don’t know of any good reason to put anything else on a domain controller, and every time someone says ‘Well what about…THIS?’ I disagree.

Of course, sometimes you don’t have a choice… Windows Small Business Server is a good example of that, but as you have likely heard me say before, SBS out of the box forces you to break a lot of rules that are simply not meant to be broken.  If you ever hear me discuss it I have said there are ways to make it more palatable… but that does not change the facts.  This is one reason I always tell my classes that it is easier for an enterprise administrator to adapt to small business IT than it is the reverse… the good habits of the enterprise admin will never hurt the SBS (although they may be considered overkill); some of the habits of small business IT Pros can, conversely, do serious damage to the enterprise IT environment.

Don’t P2V your domain controllers.

This rule is not as clear-cut as the others, but calls on some of them.  I do not believe in performing physical to virtual (P2V) migrations of domain controllers.  If an organization does have a physical domain controller that they would like to retire, I feel the following is a much safer and cleaner practice:

  1. Before you begin (as much as 10-14 days in advance) reconfigure the DHCP scope on the server in question to shorten the lease duration from whatever is currently in place (by default 8 days) to 1 hour.  This will prevent, or at least minimize, problems later on.
  2. When you are ready, create a new virtual machine and install the operating system.  Make sure you patch it to the most recent service pack, and apply all applicable critical and security patches.
  3. Join the new server to the domain, and promote it to domain controller.  Assuming you are on Windows Server 2008 R2 Service Pack 1 (which you should be by now!) you need to install the Active Directory Domain Services role, but the dcpromo.exe command will do that for you.
  4. After the server reboots, it will begin to synchronize with the Active Directory.  Remember, since AD is a distributed database, when you add a new server to the mix it will simply (over a period of time directly related to the size of your organization, factoring for network bandwidth issues) receive a complete copy of the AD that will be identical (upon completion) to the original server.  DNS will do the same thing, as long as a) you install the DNS role when you promote the server, and b) your DNS Zones are configured as Active Directory Integrated.
  5. Install and configure the DHCP Server role in the new domain controller.  If you have room to grow with your IP addresses I would recommend creating a completely different scope, but if you are tight then creating an overlapping scope will only cause very temporary headaches, most of which will be mitigated by doing this switchover during off-peak hours.  Remember to copy any reservations from the original server, especially when you have devices (such as printers) that require specific addresses.  Also, do not forget to verify that all of your Scope Options are properly configured.
  6. Stop the DHCP Server service on the original server (net stop "DHCP Server").  Again, if your scopes are overlapping be sure to do this during off-peak hours.
  7. If the physical box held any of the Flexible Single Master Operations (FSMO) roles then you should transfer them to the new server, or to another domain controller in the organization.  If you forget to do this they can later be seized, but this is the easiest and least intrusive way of doing it.
  8. You can leave your source DC on for a week or two, but after a day or so I would usually power it down; don’t reformat it or throw it out just yet, but at this point you are ready to go!

One of the rules of P2V Migrations is GIGO: Garbage In, Garbage Out.  In other words, any legacy issues you may have had previously – whether it’s clutter, breaks, bugs, or whatnot – goes with you.  With the distributed database replication model of Active Directory you get to start fresh, with all of your data. 

This method is also a great way of upgrading a DC from Windows Server 2003 to Server 2008 R2 – rather than do an in-place upgrade, you can simply do the side-by-side virtualization dance.  It won’t change your schema or upgrade your Domain (or Forest) Function Level, although if it is the first 2008 R2 domain controller in your domain you will have to run a couple of scripts to prepare the domain by running the following commands:

(On the server that holds the Schema Master FSMO role): adprep /forestprep

(On the server that holds the Infrastructure Operations Master FSMO role): adprep /domainprep /gpprep
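The eight-step side-by-side replacement and the adprep preparation, carried through as one Windows Server 2008 R2 PowerShell session; this is an added example, not the post's own script.  OLDDC (the physical DC), NEWDC (the new VM), corp.example.com, the 10.0.0.0 scope and the 10.0.0.20 address are placeholders, the session is assumed to run as a Domain/Enterprise Admin, and the comments say which machine each step is run on.

```powershell
# Added example (not from the original post). Placeholders: OLDDC, NEWDC,
# corp.example.com, scope 10.0.0.0, NEWDC address 10.0.0.20. Run as Domain Admin
# with the ActiveDirectory module (RSAT) available.
Import-Module ActiveDirectory

# Step 1 (10-14 days ahead): the scope lease duration is stored as DHCP option 51
# (seconds); drop it from the 8-day default to 1 hour so clients cycle quickly.
netsh dhcp server \\OLDDC scope 10.0.0.0 set optionvalue 051 DWORD 3600

# Only if NEWDC will be the first 2008 R2 DC: run adprep from the 2008 R2 media
# (D:\support\adprep) on the FSMO holders named in the post before promoting.
#   Schema Master:          D:\support\adprep\adprep.exe /forestprep
#   Infrastructure Master:  D:\support\adprep\adprep.exe /domainprep /gpprep

# Steps 2-4 (on NEWDC, patched and domain-joined): promote it as a replica DC
# with DNS and Global Catalog; dcpromo installs the AD DS role itself.
$dsrm = Read-Host "Directory Services Restore Mode password"   # not hard-coded
dcpromo /unattend /ReplicaOrNewDomain:replica /ReplicaDomainDNSName:corp.example.com `
    /InstallDNS:yes /ConfirmGc:yes /SafeModeAdminPassword:$dsrm /RebootOnCompletion:yes

# After the reboot: do not move anything until AD and AD-integrated DNS have
# replicated. The target is zero failures in the summary and clean DNS tests.
repadmin /replsummary
repadmin /showrepl NEWDC
dcdiag /s:NEWDC /test:Replications /test:DNS

# Step 5: list OLDDC's reservations and scope options so none are missed when
# the new scope is built on NEWDC (DHCP console or netsh), then authorize NEWDC
# in AD; an unauthorized DHCP server will not hand out leases.
netsh dhcp server \\OLDDC scope 10.0.0.0 show reservedip
netsh dhcp server \\OLDDC scope 10.0.0.0 show optionvalue
netsh dhcp add server NEWDC.corp.example.com 10.0.0.20

# Step 6 (off-peak): stop OLDDC handing out leases, and keep it stopped.
Get-Service -Name DHCPServer -ComputerName OLDDC | Stop-Service
Set-Service -Name DHCPServer -ComputerName OLDDC -StartupType Disabled

# Step 7: see which roles OLDDC holds, transfer (never seize) only those to
# NEWDC, then confirm the move. Trim the role list to what OLDDC actually holds.
netdom query fsmo
Move-ADDirectoryServerOperationMasterRole -Identity NEWDC -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo

# Step 8: after a day or so OLDDC can be powered down; keep it intact for a
# week or two in case something was missed.
```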

That’s about it… as I mentioned, there may be exceptions if your DC is doing something that (according to my guidelines) it is not supposed to be doing, but then again this may be a great opportunity for you to step in line with best practices and separate other roles from the domain controller.

Now go forth and virtualize your Active Directory Domain Controllers!

Virtualization Lessons–Both Positive and Negative!

As I sit in the back of the room for Microsoft Canada’s Virtualization Boot Camp Challenge today I see that the lab environments that we are providing to the attendees actually mimic the setup I use for my Virtual Partner Technology Advisor (vPTA) sessions.  As such, I am seeing a lot of potential for attendees to learn a lot of great technologies, but there are a few lessons that they should know.  I outlined these in an article last year called ‘vPTA: What NOT to take away from my 1-day virtualization training.’  I urge all of the attendees (as well as all of you!) to click on the link and read the article.  While a lot of the practices we use are fine for a test/lab environment, you should be aware of them before you try to implement them in your production environment!

I have written a bunch of other articles that are pertinent to the discussion… here are just some of those links:

How to get a head start on the NEW Management and Virtualization Competency

Layer 1 or Layer 2 Hypervisor? A common misconception of Hyper-V, and a brief explanation of the Parent Partition

Virtualization Infrastructure: Which platform is right for you?

Microsoft Virtualization Learning Resources

Hyper-V Training – 10215AE is now available in E-Learning!

Real Help in A Virtual World

Busting the Myth: You cannot cluster Windows Small Business Server

A follow-up to my article on configuring iSCSI initiator in Server Core & Hyper-V Server

A brief response to the vSphere 5 vs. Hyper-V question…

Gartner agrees with me… Hyper-V is for real!

Do you have your Virtcerts?

MCITP: Virtualization Administrator 2008 R2 (and other R2 Virt Certs)